Ask the Experts: Configuring, Troubleshooting and Monitoring Wireless Security Policies with Saravanan Lakshmanan

ciscomoderator
Community Manager

Configuring, Troubleshooting and Monitoring Wireless Security Policies with Saravanan Lakshmanan

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to monitor, troubleshoot and configure wireless networks using security protection policies. It includes Rogue Detection, Rogue Location Discovery Protocol (RLDP), Rogue Detector, Rogue Rules, wireless intrusion detection services (wIDS), Rogue Containment, AP Authentication, and client exclusion features that touch Mobility and RF grouping from the wireless LAN controller.


Saravanan Lakshmanan
is a Customer Support Engineer in Cisco's Technical Assistance Center (TAC) specializing in Wireless Technologies. He is an expert in debugging and troubleshooting Cisco Wireless LAN Controllers (WLCs), wireless LAN services, unified access points, wireless LAN security, autonomous APs, VoWiFi, authentication, authorization and accounting (AAA), and radio frequency (RF). Lakshmanan helps solve high-severity and critical wireless issues for Cisco's customers and partners.

Remember to use the rating system to let Saravanan know if you have received an adequate response.  

Saravanan might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Wireless sub-community Security and Network Management  shortly after the event. This event lasts through Friday April 19, 2013. Visit this forum often to view responses to your questions and the questions of other community members.


Saravanan Lakshmanan wrote:

Get debug client output when the wireless client seeing the issue.

WLC>debug client <client-mac-address>

GG -> Can't do it right now, not at the office.

If the client doesn't get an ip then it can't join wlc and success roaming is not possible.

GG -> I only fail to get a valid IP address when the key is set to none (see attached image).

[Attached screenshot: Screen Shot 2013-04-12 at 00.25.13.png]

To achieve N datarate using N AP and Client follow this doc:

Configure 802.11n on the WLC

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080a3443f.shtml

802.11n requires AES encryption to be enabled on WLANs used by 802.11n clients. You can use a WLAN with NONE as Layer 2 Security. However, if you configure any Layer 2 security, 802.11n requires WPA2 AES enabled to operate at 11n rates. Ensure that WMM is set to Allowed on the WLAN profile in order to achieve 802.11n rates.

GG -> WMM is set to Allowed. I'm using Mac OS X and FreeRADIUS. Not sure how I can see the encryption type.

*apfReceiveTask: Apr 12 10:26:06.994: mac_address_client apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile mac_address_client on AP f0:29:29:xx:xx:xx from Associated to Disassociated

*apfReceiveTask: Apr 12 10:26:06.994: mac_address_client Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds

*apfMsConnTask_7: Apr 12 10:26:12.114: mac_address_client Reassociation received from mobile on AP f0:29:29:a9:16:20

*apfMsConnTask_7: Apr 12 10:26:12.114: mac_address_client 192.168.3.200 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1626)

*apfMsConnTask_7: Apr 12 10:26:12.114: mac_address_client Applying site-specific IPv6 override for station mac_address_client - vapId 2, site 'default-group', interface 'management'

*apfMsConnTask_7: Apr 12 10:26:12.114: mac_address_client Applying IPv6 Interface Policy for station mac_address_client - vlan 0, interface id 0, interface 'management'

*apfMsConnTask_7: Apr 12 10:26:12.114: mac_address_client STA - rates (8): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0

*apfMsConnTask_7: Apr 12 10:26:12.114: mac_address_client STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0

*apfMsConnTask_7: Apr 12 10:26:12.114: mac_address_client 192.168.3.200 8021X_REQD (3) Deleted mobile LWAPP rule on AP [f0:29:29:a9:1e:50]

*apfMsConnTask_7: Apr 12 10:26:12.114: mac_address_client Updated location for station old AP f0:29:29:a9:1e:50-0, new AP f0:29:29:a9:16:20-0

*apfMsConnTask_7: Apr 12 10:26:12.115: mac_address_client 192.168.3.200 8021X_REQD (3) Initializing policy

*apfMsConnTask_7: Apr 12 10:26:12.115: mac_address_client 192.168.3.200 8021X_REQD (3) Change state to AUTHCHECK (2) last state RUN (20)

*apfMsConnTask_7: Apr 12 10:26:12.115: mac_address_client 192.168.3.200 AUTHCHECK (2) Change state to 8021X_REQD (3) last state RUN (20)

*apfMsConnTask_7: Apr 12 10:26:12.115: mac_address_client 192.168.3.200 8021X_REQD (3) DHCP required on AP f0:29:29:a9:16:20 vapId 2 apVapId 2for this client

*apfMsConnTask_7: Apr 12 10:26:12.115: mac_address_client Not Using WMM Compliance code qosCap 00

*apfMsConnTask_7: Apr 12 10:26:12.115: mac_address_client 192.168.3.200 8021X_REQD (3) Plumbed mobile LWAPP rule on AP f0:29:29:a9:16:20 vapId 2 apVapId 2

*apfMsConnTask_7: Apr 12 10:26:12.115: mac_address_client apfMsAssoStateInc

*apfMsConnTask_7: Apr 12 10:26:12.115: mac_address_client apfPemAddUser2 (apf_policy.c:223) Changing state for mobile mac_address_client on AP f0:29:29:a9:16:20 from Disassociated to Associated

*apfMsConnTask_7: Apr 12 10:26:12.115: mac_address_client Stopping deletion of Mobile Station: (callerId: 48)

*apfMsConnTask_7: Apr 12 10:26:12.115: mac_address_client Sending Assoc Response to station on BSSID f0:29:29:a9:16:20 (status 0) ApVapId 2 Slot 0

*apfMsConnTask_7: Apr 12 10:26:12.115: mac_address_client apfProcessAssocReq (apf_80211.c:5237) Changing state for mobile mac_address_client on AP f0:29:29:xx:xx:xx from Associated to Associated

*dot1xMsgTask: Apr 12 10:26:12.118: mac_address_client Station mac_address_client setting dot1x reauth timeout = 1800

*dot1xMsgTask: Apr 12 10:26:12.118: mac_address_client dot1x - moving mobile mac_address_client into Connecting state

*dot1xMsgTask: Apr 12 10:26:12.118: mac_address_client Sending EAP-Request/Identity to mobile mac_address_client (EAP Id 1)

*osapiBsnTimer: Apr 12 10:26:41.994: mac_address_client 802.1x 'txWhen' Timer expired for station mac_address_client and for message = M0

*dot1xMsgTask: Apr 12 10:26:41.994: mac_address_client dot1x - moving mobile mac_address_client into Connecting state

*dot1xMsgTask: Apr 12 10:26:41.994: mac_address_client Sending EAP-Request/Identity to mobile mac_address_client (EAP Id

Please attach the complete debug output as a file; this one does not show why the client couldn't connect back to the roamed AP.

Everything OK. It was the encryption, as you said. Thank you.

Sent from Cisco Technical Support iPhone App
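The debug client excerpt above shows the pattern the TAC engineer is asking for: the client reassociates, the WLC moves it back into 8021X_REQD, sends EAP-Request/Identity, and then the 802.1x 'txWhen' timer expires before another identity request goes out. The following parser is an added example, not code from the thread or from Cisco: it reads the same line format, tracks the policy-manager state transitions, counts identity requests and txWhen expiries, and produces a verdict. The sample log is constructed from the lines quoted in the thread with a placeholder client MAC; the regular expressions only match the message formats that actually appear in the post.

```python
"""Summarise Cisco WLC 'debug client <mac>' output: state transitions and 802.1X progress."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample, modelled on the debug client output quoted in the thread
# (abridged; the client MAC 00:11:22:33:44:55 is a placeholder, AP MACs as in the post).
SAMPLE_DEBUG = """\
*apfMsConnTask_7: Apr 12 10:26:12.114: 00:11:22:33:44:55 Reassociation received from mobile on AP f0:29:29:a9:16:20
*apfMsConnTask_7: Apr 12 10:26:12.115: 00:11:22:33:44:55 192.168.3.200 8021X_REQD (3) Change state to AUTHCHECK (2) last state RUN (20)
*apfMsConnTask_7: Apr 12 10:26:12.115: 00:11:22:33:44:55 192.168.3.200 AUTHCHECK (2) Change state to 8021X_REQD (3) last state RUN (20)
*apfMsConnTask_7: Apr 12 10:26:12.115: 00:11:22:33:44:55 192.168.3.200 8021X_REQD (3) DHCP required on AP f0:29:29:a9:16:20 vapId 2 apVapId 2for this client
*apfMsConnTask_7: Apr 12 10:26:12.115: 00:11:22:33:44:55 Sending Assoc Response to station on BSSID f0:29:29:a9:16:20 (status 0) ApVapId 2 Slot 0
*dot1xMsgTask: Apr 12 10:26:12.118: 00:11:22:33:44:55 Sending EAP-Request/Identity to mobile 00:11:22:33:44:55 (EAP Id 1)
*osapiBsnTimer: Apr 12 10:26:41.994: 00:11:22:33:44:55 802.1x 'txWhen' Timer expired for station 00:11:22:33:44:55 and for message = M0
*dot1xMsgTask: Apr 12 10:26:41.994: 00:11:22:33:44:55 Sending EAP-Request/Identity to mobile 00:11:22:33:44:55 (EAP Id 2)
"""

# Generic debug line: "*<task>: <Mon day HH:MM:SS.mmm>: <message>"
LINE_RE = re.compile(r"^\*(?P<task>[^:]+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (?P<msg>.*)$")
# Policy-manager transition as printed by the WLC, e.g. "8021X_REQD (3) Change state to AUTHCHECK (2) last state RUN (20)"
STATE_RE = re.compile(r"(?P<cur>\S+) \(\d+\) Change state to (?P<new>\S+) \(\d+\) last state (?P<last>\S+) \(\d+\)")
EAP_ID_RE = re.compile(r"Sending EAP-Request/Identity to mobile \S+ \(EAP Id (?P<id>\d+)\)")
TXWHEN_RE = re.compile(r"802\.1x 'txWhen' Timer expired")
ASSOC_RE = re.compile(r"Sending Assoc Response to station on BSSID (?P<bssid>\S+) \(status (?P<status>\d+)\)")


@dataclass
class Event:
    ts: datetime
    task: str
    kind: str      # 'state', 'eap_identity', 'txwhen', 'assoc' or 'other'
    detail: dict


def parse_debug_client(text):
    """Turn raw debug client output into a list of typed events (non-debug lines are skipped)."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")  # year is irrelevant; only deltas are used
        msg = m["msg"]
        if (s := STATE_RE.search(msg)):
            events.append(Event(ts, m["task"], "state", {"from": s["cur"], "to": s["new"], "last": s["last"]}))
        elif (e := EAP_ID_RE.search(msg)):
            events.append(Event(ts, m["task"], "eap_identity", {"eap_id": int(e["id"])}))
        elif TXWHEN_RE.search(msg):
            events.append(Event(ts, m["task"], "txwhen", {}))
        elif (a := ASSOC_RE.search(msg)):
            events.append(Event(ts, m["task"], "assoc", {"bssid": a["bssid"], "status": int(a["status"])}))
        else:
            events.append(Event(ts, m["task"], "other", {"msg": msg}))
    return events


def summarize(events):
    """Reduce the events to the facts a troubleshooter wants: where the client ended up and why."""
    transitions = [(e.detail["from"], e.detail["to"]) for e in events if e.kind == "state"]
    final_state = transitions[-1][1] if transitions else None
    identity_ids = [e.detail["eap_id"] for e in events if e.kind == "eap_identity"]
    txwhen = [e for e in events if e.kind == "txwhen"]
    assoc_status = [e.detail["status"] for e in events if e.kind == "assoc"]
    first_identity = next((e.ts for e in events if e.kind == "eap_identity"), None)
    seconds_to_timeout = None
    if first_identity is not None and txwhen:
        seconds_to_timeout = (txwhen[0].ts - first_identity).total_seconds()

    if final_state == "8021X_REQD" and txwhen:
        # Association succeeded (status 0) but 802.1X never advanced: the supplicant is not
        # answering the identity request, so the client never reaches DHCP/RUN on this AP.
        verdict = (f"stuck in 8021X_REQD: {len(identity_ids)} EAP-Request/Identity sent, "
                   f"{len(txwhen)} txWhen expiry; supplicant not answering, no DHCP/RUN")
    elif final_state == "RUN":
        verdict = "client reached RUN"
    else:
        verdict = f"final state {final_state}; inspect the full debug"
    return {
        "final_state": final_state,
        "transitions": transitions,
        "eap_identity_ids": identity_ids,
        "txwhen_expirations": len(txwhen),
        "assoc_status": assoc_status,
        "seconds_to_first_timeout": seconds_to_timeout,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_debug_client(SAMPLE_DEBUG)).items():
        print(f"{key}: {value}")
```

Running it on the sample reports a successful association (status 0) followed by roughly thirty seconds between the first EAP-Request/Identity and the txWhen expiry with the client still in 8021X_REQD, which is exactly why the full debug is needed: the interesting question is what the supplicant did (or failed to do) in that window.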

What am I supposed to do with unclassified rogue AP?

//You can classify them using rogue rules. Ex: Managed SSID; any AP that is not joined to the WLC and is broadcasting your SSID will be classified under the rogue rule.

I understand that if they don't look like a threat I can mark them as "Friendly External" so as not to receive more alarms about them. Is that OK?

//Yes, if it is found to be a legitimate AP then mark it as Friendly.

The problem is what happens if this external Friendly AP changes its SSID to a Managed SSID (an SSID in use on our controller). Then this AP is a threat, but it is no longer detected by the controller as Malicious.

//Mostly I have seen deployments where the admin configures an SSID that is not similar to their neighbor's. However, I have seen a common name like 'wallstreet' given, for example, and later changed to a different one for their guest WLAN. So there is intentional and accidental; if it's your neighbor company you can always talk to their admin about it.

Is it a bug?

//No.

davidhwei
Level 1

Good morning,

I have a question. We are going to set up 6 Cisco AP1242AG access points in a huge warehouse. Can we use one SSID for all those devices at the same time without a VLAN setup? There will be one as master and all 6 devices can communicate via the wired LAN, and each of them has its own IP on 192.168.0.x 255.255.255.0. There are about 60 mobile computers which have IPs on 192.18.0.x 255.255.255.0 in the warehouse and they are running an application to access the database.

Thanks a lot,

goldnetps
Level 1

Hey people,

I need some help with a problem. I have an access point model LAP-1261N, and it came in LWAPP mode. But we don't have a wireless controller. So, I need to migrate it to autonomous mode.

I saw some configuration examples for the old models like the 1130, 1242, 1100 and others. But it doesn't work on the 1261 model.

Does someone know how to do it?

Thanks;
